SB2025043016 - Multiple vulnerabilities in XWiki platform

Published: April 30, 2025
Updated: April 9, 2026

Security Bulletin ID: SB2025043016
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100% (both vulnerabilities are rated Medium; there are no Low, High or Critical entries)

Description

This security bulletin contains information about 2 vulnerabilities.


1) Missing Authorization (CVE-ID: CVE-2025-46554)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to missing authorization. A remote attacker can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint.


2) Missing Authorization (CVE-ID: CVE-2025-23025)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the realtime WYSIWYG editor when handling realtime editing sessions involving users with script or programming rights. A remote user can insert a script rendering macro into edited content to escalate privileges.

User interaction is required, and exploitation depends on another participant in the same realtime editing session having script or programming rights.
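The two CVSS v4.0 vectors quoted above encode exactly the difference the descriptions draw: the attachment-metadata issue needs no privileges and no user interaction (PR:N, UI:N), while the realtime-editor issue needs an authenticated user (PR:L) and active interaction by another participant (UI:A). The following parser is an added example, not code from this bulletin or from the XWiki project; it validates a CVSS v4.0 base vector against the metric values defined in the CVSS v4.0 specification and reduces it to the exploitability facts a triage engineer wants first. The vector strings are the ones printed in the bulletin; the dictionary keys and the helper names are this example's own.

```python
"""Parse CVSS v4.0 vectors and summarise exploitability (added example)."""
import re

# The two vectors exactly as printed in bulletin SB2025043016.
BULLETIN_VECTORS = {
    "CVE-2025-46554": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2025-23025": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
}

# Shape of a v4.0 vector: the version prefix followed by one or more "NAME:VALUE" groups.
VECTOR_RE = re.compile(r"^CVSS:4\.0(?:/[A-Z]{1,3}:[A-Za-z]+)+$")

# Base metrics that every CVSS v4.0 vector must carry (order as in the specification).
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Permitted values for the base, threat (E) and provider-urgency (U) metrics used here.
ALLOWED_VALUES = {
    "AV": {"N", "A", "L", "P"},
    "AC": {"L", "H"},
    "AT": {"N", "P"},
    "PR": {"N", "L", "H"},
    "UI": {"N", "P", "A"},
    **{m: {"H", "L", "N"} for m in ("VC", "VI", "VA", "SC", "SI", "SA")},
    "E": {"X", "A", "P", "U"},
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}


def parse_cvss4(vector: str) -> dict:
    """Return the vector's metrics as a dict, rejecting malformed or incomplete input."""
    if not VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in vector.split("/")[1:]:
        name, value = part.split(":", 1)
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if name in ALLOWED_VALUES and value not in ALLOWED_VALUES[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploitability(metrics: dict) -> dict:
    """Reduce a parsed vector to the preconditions and impact a triage engineer checks first."""
    return {
        # AV:N means reachable over the network, which the bulletin calls "Remote access".
        "remote": metrics["AV"] == "N",
        # PR:N means no account is needed; PR:L/H means an authenticated user is required.
        "unauthenticated": metrics["PR"] == "N",
        # UI:P or UI:A means someone other than the attacker must act.
        "needs_user_interaction": metrics["UI"] != "N",
        # E:A (attacked) would indicate known exploitation; both bulletin entries are E:U.
        "public_exploit": metrics.get("E", "X") == "A",
        # Worst of confidentiality/integrity/availability impact on the vulnerable system.
        "max_vulnerable_impact": max((metrics[m] for m in ("VC", "VI", "VA")), key="NLH".index),
    }


def summarize(vectors: dict) -> dict:
    """Map each CVE id to its exploitability summary."""
    return {cve: exploitability(parse_cvss4(v)) for cve, v in vectors.items()}


if __name__ == "__main__":
    for cve, facts in summarize(BULLETIN_VECTORS).items():
        print(cve, facts)
```

Running the block against the bulletin's two vectors shows CVE-2025-46554 as remote, unauthenticated and interaction-free with low confidentiality impact, and CVE-2025-23025 as remote but requiring an authenticated user plus interaction, with high impact; that matches the prose and is the kind of check worth automating before a bulletin feed drives patch priority.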


Remediation

Install the update from the vendor's website.